Transparent Tribe Deploys Adaptive RAT Campaign Against Indian Government and Academia


Security firm CYFIRMA has attributed to Transparent Tribe (APT36) a new campaign of targeted attacks against Indian government, academic and strategic organisations that uses a remote access trojan (RAT) to give the attackers persistent control of compromised machines. The operation begins with a spear-phishing email carrying a ZIP archive that contains a Windows shortcut (LNK) file disguised as a PDF.

Opening the shortcut launches mshta.exe to run an HTA script that decrypts and loads the RAT into memory while also opening a decoy PDF to avoid suspicion. CYFIRMA said the HTA uses ActiveX objects such as WScript.Shell for environment profiling and runtime manipulation to improve execution reliability on target systems.

The malware adapts its persistence mechanism to the antivirus product it detects. If Kaspersky is present, it writes an obfuscated HTA under C:\Users\Public\core\ and drops a Startup LNK that launches it via mshta.exe. If Quick Heal is found, it creates a batch file and a malicious LNK in the Startup folder and calls the HTA via the batch script.

For Avast, AVG or Avira, the payload is copied into the Startup directory and executed. If no recognised AV is detected, the actor falls back to a mix of batch files, registry persistence and payload deployment. A second HTA drops a DLL named iinneldc.dll that acts as a full RAT, providing remote system control, file management and exfiltration, screenshot capture, clipboard manipulation and process control, CYFIRMA reported.
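The chain above gives defenders two concrete things to hunt for: mshta.exe executing an HTA after a user opens a shortcut (or after a batch file relaunches it at logon), and Startup-folder entries that point at mshta.exe, an HTA or a batch file. The following script is an added example written for this article, not code from CYFIRMA or from the campaign; it applies those heuristics to constructed process-creation records and Startup-folder entries. The `key=value | key=value` record format, the sample paths and the `classify_*` function names are assumptions made for the example; the `C:\Users\Public\core\` staging path comes from the report.

```python
"""Detection heuristics for the mshta.exe / HTA chain and the AV-dependent
Startup persistence described above. Added example: the log format, sample
events and Startup entries are constructed, not captured from the campaign."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Per-user and all-users Startup folders share this path fragment.
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
# Staging directory named in the report for the Kaspersky-specific branch.
PUBLIC_CORE = re.compile(r"\\Users\\Public\\core\\", re.I)
# explorer.exe = user double-clicked the LNK; cmd.exe = batch-file relaunch.
LAUNCHERS = ("\\explorer.exe", "\\cmd.exe")


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'key=value | key=value' process-creation record."""
    fields: dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return ProcessEvent(
        parent_image=fields.get("ParentImage", ""),
        image=fields.get("Image", ""),
        command_line=fields.get("CommandLine", ""),
    )


def classify_process(ev: ProcessEvent) -> list[str]:
    """Return the reasons (possibly none) this process event matches the chain."""
    reasons: list[str] = []
    image, parent, cmd = ev.image.lower(), ev.parent_image.lower(), ev.command_line
    if not image.endswith("\\mshta.exe"):
        return reasons
    if ".hta" in cmd.lower() and parent.endswith(LAUNCHERS):
        reasons.append(f"mshta.exe running an HTA spawned by {ev.parent_image}")
    if PUBLIC_CORE.search(cmd):
        reasons.append("HTA staged under C:\\Users\\Public\\core\\")
    if STARTUP_DIR.search(cmd):
        reasons.append("mshta.exe launched against a Startup-folder path")
    return reasons


def classify_startup_entry(path: str, target: str) -> list[str]:
    """Flag Startup-folder items that launch mshta.exe, an HTA or a batch file.

    `target` is the shortcut's resolved target for .lnk files, or the command
    a .bat file runs; for a bare .hta in Startup it is ignored."""
    reasons: list[str] = []
    if not STARTUP_DIR.search(path):
        return reasons
    lower_path, lower_target = path.lower(), target.lower()
    if lower_path.endswith(".lnk") and "mshta.exe" in lower_target:
        reasons.append("Startup shortcut targets mshta.exe")
    if lower_path.endswith(".lnk") and lower_target.endswith(".bat"):
        reasons.append("Startup shortcut targets a batch file")
    if lower_path.endswith(".bat") and ("mshta" in lower_target or ".hta" in lower_target):
        reasons.append("Startup batch file invokes an HTA")
    if lower_path.endswith(".hta"):
        reasons.append("HTA placed directly in Startup")
    return reasons


def scan_events(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (index, reasons) for every record that triggers at least one rule."""
    hits = []
    for idx, line in enumerate(lines):
        reasons = classify_process(parse_event(line))
        if reasons:
            hits.append((idx, reasons))
    return hits


# Constructed sample records: a shortcut-launched HTA, a batch-relaunched HTA
# from the staging directory, and a benign PDF open for contrast.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\explorer.exe | Image=C:\\Windows\\System32\\mshta.exe"
    " | CommandLine=mshta.exe C:\\Users\\alice\\AppData\\Local\\Temp\\Report.hta",
    "ParentImage=C:\\Windows\\System32\\cmd.exe | Image=C:\\Windows\\System32\\mshta.exe"
    " | CommandLine=mshta.exe C:\\Users\\Public\\core\\svc.hta",
    "ParentImage=C:\\Windows\\explorer.exe | Image=C:\\Program Files\\Adobe\\Acrobat\\Acrobat.exe"
    " | CommandLine=Acrobat.exe C:\\Users\\alice\\Downloads\\Report.pdf",
]

if __name__ == "__main__":
    for idx, reasons in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
```

The rules deliberately key on behaviour the report describes rather than on file names, which the actor can change between runs: mshta.exe running any HTA from a user-facing launcher, anything under the Public\core staging path, and Startup items that chain into mshta.exe or a batch file. The Avast/AVG/Avira branch (payload dropped straight into Startup) and the Quick Heal branch (LNK plus batch file) are both caught by `classify_startup_entry`.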

